Global network equipment vendors, Ericsson, Huawei, Nokia and ZTE, have successfully completed an assessment of their product development and lifecycle management processes using the GSMA’s Network Equipment Security Assurance Scheme (NESAS).
GSMA NESAS represents a critical industry initiative that increases transparency and incentivises vendors to develop and support network equipment in a way that protects operators and their customers and can underpin national security requirements.
The GSMA said it audited ZTE’s 5G NR and ZXUN USPP product lines, Huawei’s 5G core product line for UDG, UDM, UNC, UPCF, LTE eNodeB and 5G gNodeB, all which passed the first stage of NESAS. Other product lines that were audited include eNodeB, gNodeB from Ericsson and LTE eNB (SRAN), 5G gNB from Nokia Solutions and Networks Oy.
For the second stage of NESAS, network vendors will submit network equipment products to qualified test laboratories for evaluation. This stage involves laboratories running security tests, defined by 3GPP, and checking that the products undergoing evaluation have been developed under the assessed development and lifecycle management processes. The evaluation concludes with the production, by the test laboratory, of a valuation report that records the test results. The report is provided to the vendor who can make it available to its customers and other stakeholders at its discretion.
NESAS is a standardized cybersecurity assessment mechanism jointly defined by GSMA and 3GPP, together with major global operators, vendors, industry partners and regulators. It provides an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry. It is a voluntary scheme through which network equipment vendors subject their product development and lifecycle processes to a comprehensive security audit against the currently active NESAS release and its security requirements.
GSMA NESAS covers 20 assessment categories, defining security requirements and an assessment framework for 5G product development and product lifecycle processes. Additionally it uses security test cases defined by 3GPP to assess the security of network equipment.